Open
Labels: enhancement (New feature or request)
Description
Hi team,
I am testing the MCP example in modelcontextprotocol/inspector. I got a CSRF error.
These are my debug logs:
[DEBUG RESPONSE] ---
[DEBUG REQUEST] OPTIONS /register HTTP/1.1
[DEBUG REQUEST] Host: idp.tailb99c7.ts.net
[DEBUG REQUEST] RemoteAddr: 100.112.134.105:54659
[DEBUG REQUEST] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
[DEBUG REQUEST] Headers:
[DEBUG REQUEST] Cache-Control: no-cache
[DEBUG REQUEST] Sec-Fetch-Site: cross-site
[DEBUG REQUEST] Sec-Fetch-Dest: empty
[DEBUG REQUEST] Access-Control-Request-Headers: content-type
[DEBUG REQUEST] Origin: http://localhost:6274
[DEBUG REQUEST] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
[DEBUG REQUEST] Sec-Fetch-Mode: cors
[DEBUG REQUEST] Referer: http://localhost:6274/
[DEBUG REQUEST] Accept-Encoding: gzip, deflate, br, zstd
[DEBUG REQUEST] Pragma: no-cache
[DEBUG REQUEST] Access-Control-Request-Method: POST
[DEBUG REQUEST] Accept-Language: en-US,en;q=0.9
[DEBUG REQUEST] Accept: */*
[DEBUG REQUEST] Connection: keep-alive
[DEBUG REQUEST] Body: (empty)
[DEBUG REQUEST] ---
[DEBUG RESPONSE] Status: 204 No Content
[DEBUG RESPONSE] Headers:
[DEBUG RESPONSE] Access-Control-Allow-Origin: *
[DEBUG RESPONSE] Access-Control-Allow-Methods: POST, OPTIONS
[DEBUG RESPONSE] Access-Control-Allow-Headers: *
[DEBUG RESPONSE] Body: (empty)
[DEBUG RESPONSE] ---
[DEBUG REQUEST] POST /register HTTP/1.1
[DEBUG REQUEST] Host: idp.tailb99c7.ts.net
[DEBUG REQUEST] RemoteAddr: 100.112.134.105:54659
[DEBUG REQUEST] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
[DEBUG REQUEST] Headers:
[DEBUG REQUEST] Content-Length: 298
[DEBUG REQUEST] Sec-Ch-Ua-Platform: "macOS"
[DEBUG REQUEST] User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/142.0.0.0 Safari/537.36
[DEBUG REQUEST] Sec-Ch-Ua: "Chromium";v="142", "Google Chrome";v="142", "Not_A Brand";v="99"
[DEBUG REQUEST] Accept: */*
[DEBUG REQUEST] Sec-Fetch-Site: cross-site
[DEBUG REQUEST] Origin: http://localhost:6274
[DEBUG REQUEST] Referer: http://localhost:6274/
[DEBUG REQUEST] Connection: keep-alive
[DEBUG REQUEST] Pragma: no-cache
[DEBUG REQUEST] Content-Type: application/json
[DEBUG REQUEST] Sec-Ch-Ua-Mobile: ?0
[DEBUG REQUEST] Sec-Fetch-Dest: empty
[DEBUG REQUEST] Accept-Language: en-US,en;q=0.9
[DEBUG REQUEST] Cache-Control: no-cache
[DEBUG REQUEST] Sec-Fetch-Mode: cors
[DEBUG REQUEST] Accept-Encoding: gzip, deflate, br, zstd
[DEBUG REQUEST] Body:
{"redirect_uris":["http://localhost:6274/oauth/callback/debug"],"token_endpoint_auth_method":"none","grant_types":["authorization_code","refresh_token"],"response_types":["code"],"client_name":"MCP Inspector","client_uri":"https://github.com/modelcontextprotocol/inspector","scope":"email profile"}
[DEBUG REQUEST] ---
[DEBUG RESPONSE] Status: 403 Forbidden
[DEBUG RESPONSE] Headers:
[DEBUG RESPONSE] Content-Type: text/plain; charset=utf-8
[DEBUG RESPONSE] X-Content-Type-Options: nosniff
[DEBUG RESPONSE] Body:
cross-origin request detected from Sec-Fetch-Site header
[DEBUG RESPONSE] ---
I think we should exempt /register and /token from CSRF protection for testing; maybe we can add another flag in https://github.com/tailscale/tsidp/blob/main/server/server.go#L267-L278
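As an added illustration (not tsidp's own code), a Go middleware of the shape this issue proposes: the Sec-Fetch-Site check that produced the 403 above, with a path allow-list for the OAuth dynamic-registration and token endpoints, which clients such as the MCP Inspector legitimately call cross-origin and which are authenticated by their request body rather than by a browser session cookie. The exempt paths, the host name and the exact policy are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Endpoints OAuth clients legitimately call cross-origin (dynamic client
// registration, token exchange). They are authenticated by request body,
// not browser cookies, so Sec-Fetch-Site adds nothing. Assumed set.
var csrfExemptPaths = map[string]bool{"/register": true, "/token": true}

// csrfProtect rejects browser-initiated cross-origin requests based on the
// Sec-Fetch-Site header, except for CORS preflights and exempt paths.
func csrfProtect(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodOptions || csrfExemptPaths[r.URL.Path] {
			h.ServeHTTP(w, r)
			return
		}
		// Only "cross-site" is rejected; an absent header means a non-browser
		// client or an old browser (stricter deployments may reject those too).
		if r.Header.Get("Sec-Fetch-Site") == "cross-site" {
			http.Error(w, "cross-origin request detected from Sec-Fetch-Site header",
				http.StatusForbidden)
			return
		}
		h.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed request through the middleware in front of
// a handler that always answers 204 and returns the resulting status code.
func statusFor(method, path, secFetchSite string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	req := httptest.NewRequest(method, "http://idp.example"+path, nil)
	if secFetchSite != "" {
		req.Header.Set("Sec-Fetch-Site", secFetchSite)
	}
	rec := httptest.NewRecorder()
	csrfProtect(ok).ServeHTTP(rec, req)
	return rec.Code
}

func main() { // reproduces the issue's cross-site POST /register, then a protected path
	fmt.Println(statusFor("POST", "/register", "cross-site"), statusFor("POST", "/authorize", "cross-site"))
}
```

Endpoints that act on an ambient browser session (the authorization endpoint, for instance) keep the check; only the cookie-less OAuth endpoints are exempted.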